blog

84 posts tagged with “blog”

PCI DSS v4 is Coming – What Can You Rely On

04-Mar-2022

PCI DSS v4.0 is coming and will bring big changes. The exact nature of the changes isn't yet available as the standard is still evolving…

8-Digit BINs and the Great PCI Truncation Reset

20-Jan-2022

Visa, MasterCard, Discover, JCB, and UnionPay hit ‘reset’ on the PCI DSS truncation rules in December 2021 and January 2022, providing an…

Addressing Log4Shell

16-Dec-2021

The Log4Shell vulnerability has sparked an Internet firestorm and may potentially be one of the most devastating bugs in years. But why…

Non-Compliance Lesson No. 3: Don't upgrade or patch your old stuff

07-Dec-2021

PCI DSS can be hard and not preparing for it just makes things harder. Following this advice is guaranteed to make it both more exciting and…

A-Movember-Moment

08-Nov-2021

Control Gap is proud to introduce our participants for Movember 2021: Ben, Connor, Corey, and David, who help us raise funds for…

Non-Compliance Lesson No. 2: Outsource your payments/security and don't read the fine print

01-Nov-2021

PCI DSS can be hard and not preparing for it just makes things harder. Following this advice is guaranteed to make it both more exciting and…

Non-Compliance Lesson No. 1: Wait until your assessment to validate scope

07-Oct-2021

PCI DSS can be hard and not preparing for it just makes things harder. Following this advice is guaranteed to make it both more exciting and…

Quantum Cryptography for Risk Managers or Shor, Grover, and the Crypto-Apocalypse

23-Sep-2021

According to some, quantum cryptography will revolutionize cryptography, kill our current ciphers, and reveal all our secrets. But if you're…

Why Organizations Need to Become Crypto-Agile and What that Means

16-Sep-2021

Cryptographic change is a reality. Since 2006, we have seen the sunset of WEP, SSLv2, RSA-1024, SSLv3 and early TLS. We know that Triple DES…

Why did my PCI DSS Scope Explode?!

01-Sep-2021

It can be extremely frustrating for a compliance team to realize that additional systems are in-scope. It means additional and unexpected…

Don’t Tie Yourself in Knots Thinking you can Store Payment Card Verification Codes/Values

26-Aug-2021

Card Not Present Security Codes/Values are the 3 and 4 digit printed numbers on your payment cards used to verify card-not-present…

Our Offensive Security Hiring Process

18-Aug-2021

Control Gap is expanding our Offensive Security team and looking for talented individuals. To ensure that we have the right team, we needed…

The DSS, MageCart, and the DOM – Part 3 e-Commerce Skimming

05-Aug-2021

Cyberattacks and data breaches have risen dramatically in recent years and no industry or organization is immune to these attacks. Merchants…

The DSS, MageCart, and the DOM – Part 2 Browsers, the DOM, and 3rd Party JavaScript

05-Aug-2021

In part two of our series, we take a deeper dive into how JavaScript works and its implications for web and e-commerce security and…

The DSS, MageCart, and the DOM – Part 1: The PCI DSS e-Commerce Rules

05-Aug-2021

It turns out that how you implement e-commerce can have a huge impact on your compliance footprint (i.e., the number of PCI security…

Why do some Issuers believe they don’t need to be PCI DSS compliant?

19-Jul-2021

Documents from the PCI Council, MasterCard, and Visa clearly indicate that Issuers are required to be PCI DSS compliant (see Learn More…

6 Ways to Deal with the Magnitude of PCI DSS

19-Jul-2021

Are you new to PCI DSS? Perhaps you need to refresh your approach? If so, this article breaks down 6 strategies that will help you eat the…

How a $1200 Graphics Card Threatens Your PCI DSS Compliance and Security

20-May-2021

Organizations subject to PCI DSS compliance validation spend significant amounts of time, effort, and money to maintain and validate their…

Another Way 8-Digit Bins Complicate PCI Compliance: It's Not Just Data-at-Rest

23-Apr-2021

The adoption of 8-digit BINs in 2022 has already created many transitional challenges for organizations needing access to the full BIN…

The MS Exchange - World-Wide Exploitation

17-Mar-2021

For organizations running on-premise Microsoft Exchange servers, we want to make you aware of four severe zero-day vulnerabilities announced…

Visa 8-Digit BINs are Just Around the Corner and Many Questions Remain

28-Feb-2021

If your business processes or stores the full-BIN, you need to know if you will be impacted by Visa's Numerics Initiative (i.e., the 8-Digit…

PINs, Passwords, and PCI

18-Feb-2021

What is the difference between Passwords and Passphrases, PINs, and other authentication factors under PCI DSS…

LLMNR / NBT-NS: You’re Poison!

09-Dec-2020

Attention Windows sysadmins: search for "LLMNR" and once you've finished panicking, then get that nonsense disabled. Over the past year…

CDRThief New VoIP Linux Malware – Can Credit Card Skimmers be Far Behind?

10-Sep-2020

Many organizations have either undergone or are planning migrations or acceleration of call centers, remote working, and online presence…

Did you MEME to share your personal info?

01-Apr-2020

What’s your Covid-19 Plan? Our plan is to curl up in the fetal position in a supermarket with a tin-foil hat. But seriously… Everyone…

The ENTITY (a scary PCI monster)

31-Oct-2019

If you're subject to PCI DSS you need to understand "The ENTITY". We aren't talking about a horror movie. Instead we are talking about…

Control Gap gets Cyber!

26-Sep-2019

We are pleased to announce that we are now offering new CYBERSECURITY services! We want the name Control Gap to be synonymous in your mind…

Control Gap at Vancouver PCI Community Meeting

03-Sep-2019

Control Gap is excited to announce that we will be exhibiting at this year’s @PCISecurityStandardsCouncil Community Meeting on September 1…

A Misadventure on THE AIRLINE THAT SHALL NOT BE NAMED

27-Aug-2019

Whether you embrace or eschew the label of Road Warrior, if you've traveled extensively for business, then you have experienced the trials…

What's the minimum I need to do for PCI?

18-Jul-2019

As we complete the 3rd hour of the meeting discussing PCI scope, the customer turns to me and asks, “So what’s the minimum that I need to do…

Why POI Tamper Inspections are so Important

19-Jun-2019

It is amazing to see how many organizations take things for granted in their environment. In the video below, you can see a skimmer device…

NIST is Sunsetting Triple DES - so what will the Financial Industry do?

09-Apr-2019

NIST recently published a document "Transitioning the Use of Cryptographic Algorithms and Key Lengths" which formalizes the sunset of Triple…

NIST Update to Format Preserving Encryption Standard affects PCI Use Cases

21-Mar-2019

Last month NIST announced they were seeking feedback on a proposed updated guidance for FPE. More formally this is SP 800-38G rev…

PCI SPoC (PIN on COTS) - Grand Experiment in Mobile Payments

28-Jan-2019

Big changes are coming to payment security in 2019. PCI is launching a grand experiment in payment security - Software PIN on COTS (SPoC…

How can I tell if the site I shop from is secure?

05-Dec-2018

Payment card breaches concern customers and businesses alike. A recent epidemic of e-commerce breaches is focusing attention on what makes a…

PCI DSS v3.2.1 - What You Need to Know to Stay PCI Compliant

07-Nov-2018

To accept credit cards in Canada, businesses need to be PCI compliant. Becoming PCI compliant can be difficult in the first place and…

Control Gap is Proud to Support Casey MacKay in the 2018 Toronto Maple Leafs Skate for Easter Seals Kids!

19-Oct-2018

We are excited to announce that we are supporting Casey MacKay, a student at Humber College finishing his program in Broadcasting…

Social Network Spiraling - Everything Going On with Facebook Up Until Now

04-Oct-2018

In case you missed it, Facebook has had some issues recently and it's only getting uglier. Catch up on the news below: September's Breach The…

If You Take Credit Cards By Phone or Mail - You Need to Read About Visa's October Mandate

12-Sep-2018

PCI Rules Aren't the Only Ones You Need to Comply With. Most organizations concerned with payment compliance are focused on the PCI Data…

The 3 Approaches to Penetration Testing for PCI DSS

11-Apr-2018

Understanding PCI DSS requirements in depth can often be confusing and frustrating. The requirements covering penetration testing, PCI DSS…

Equifax Move Over, Here Comes The Cambridge Analytica and Facebook Scandal!

20-Mar-2018

We've been following security and breaches for a long time and they have been getting unquestionably worse. While mega-credit card breaches…

PCI DSS May Require Pulling Up Your SOX (or ISO)

22-Feb-2018

Executives and managers in organizations preparing for their first onsite PCI security assessment may feel confident that having passed a…

17 Predictions About the Next Version of PCI DSS

10-Jan-2018

PCI DSS v3.2 is due for an update this year - but what will that look like? In this article, we peer into our crystal ball to make some…

Understanding "Connected-to" - Is The Internet In Scope For PCI DSS?

07-Dec-2017

PCI DSS is all about scope. Getting scope right or wrong is perhaps the single most critical factor determining the ultimate success or…

Control Gap Inc. Supports Easter Seals Ontario

23-Nov-2017

This year, and for many years prior, Control Gap Inc. continues to be a proud supporter of Easter Seals Ontario through the Toronto Maple…

In The Payments World, Even Canadians Have ZIP Codes!

19-Sep-2017

Many Canadians traveling to the US have experienced the frustration of running into a form of address verification. This is a common extra…

Hurricane Harvey: How To Avoid Scams When Donating To Natural Disaster Charity Groups

31-Aug-2017

It's hard to imagine a natural disaster until it starts happening in your own backyard. Unfortunately, the people of Texas have experienced…

NIST Moves on Sweet32 - 3DES, Blowfish, and Others - Mostly Unsafe

19-Jul-2017

Now is the time to stop using 64-bit block length ciphers such as 3DES (TDEA) and Blowfish in general purpose applications of cryptography…

Understanding P2PE, NESA, E2EE, and PCI Compliance

27-Jun-2017

Compliance simplification, what most people call “scope reduction”, can have huge benefits in terms of saving time, effort, headaches, and…

PCI Compliance and the Intel AMT Vulnerability

15-May-2017

On May 1st a critical new and possibly unprecedented vulnerability was announced.  The flaw in Intel's Active Management Technology (AMT…

8-digit BIN Issues and Risks Remain after PCI Truncation Rules Clarified

10-May-2017

Last month we wrote this article about issues arising from the addition of new BIN ranges and the lack of clear guidance specifically with…

7 Things You Can Do To Deal With The Recent Format Preserving Encryption (FPE) Compromise

26-Apr-2017

Barely a year after NIST approved Format-Preserving Encryption (FPE) based on AES they've issued a news release that one of the approved…

3 Ways 8-Digit BIN Ranges May Impact PCI Compliance

11-Apr-2017

New 8-digit Bank Identification Numbers (BIN) could complicate PCI truncation rules and create compliance headaches for those required to…

What The CIA WikiLeaks Dump Has In Common With PCI Compliance

14-Mar-2017

In recent news, WikiLeaks exposed a huge trove of CIA documents.  Journalists and bloggers will of course have a field day with this and the…

SHA-1 Is Dead!

23-Feb-2017

History: The SHA-1 cryptographic hash function was introduced in 1995. Weaknesses began to be discovered in 2005, and in 2011 NIST deprecated…

2017 Toronto Ride To Conquer Cancer

02-Feb-2017

This year, Control Gap Inc. has donated $2,500 to The Enbridge Ride to Conquer Cancer which has been supporting the Princess Margaret Cancer…

What Is The Difference Between Masking And Truncation In PCI Compliance?

17-Jan-2017

Masking and truncation of cardholder data may seem the same on the surface (e.g., 423456XXXXXX7890); however, each implies different…

What Is Cardholder Data In PCI Compliance?

16-Jan-2017

Cardholder data, aka CHD, comes from credit, debit, and prepaid cards bearing the logo of one of the PCI founding card brands.  CHD includes…

What Is Sensitive Authentication Data in PCI Compliance?

11-Jan-2017

Sensitive authentication data, aka SAD, in PCI compliance is data used by the issuers of cards to authorize transactions. Similar to…

Supporting the Uganda Plastic Surgery Project

10-Jan-2017

In September 2016, Control Gap Inc. donated $5,000 to the University of British Columbia's Uganda Plastic Surgery Project. About the Mission…

Call Centers and PCI Compliance: Things You Need to Know

15-Dec-2016

Call centers can be challenging places. They range from small and simple to large and complex. For many businesses they are a place where…

In Support of The Canadian Cancer Society

04-Dec-2016

In October 2016, Control Gap donated $5,000 to FCT in support of The Canadian Cancer Society's Relay for Life. In November, Gary Gallacher…

4 FAQs The PCI Security Standards Council Renamed in 2016

02-Dec-2016

Anyone who relies on the PCI FAQ site for guidance may have noticed some changes in the last few months. In fact if you bookmarked some of…

PCI Announces NESA - A Stepping Stone To P2PE

29-Nov-2016

Earlier this month the PCI Security Standards Council published a new document as part of the Point-to-Point Encryption (P2PE) program. This…

PCI Compliance Footprints: 7 Ways To Simplify Compliance, Reduce Risk And Save Money

22-Nov-2016

While you may have heard of carbon footprints and ecological footprints, you might not be aware that there is such a thing as a PCI Compliance…

3 Risks of Ignoring PCI Compliance

15-Nov-2016

With more than 510 million records containing sensitive information breached since January 2005, statistics indicate that cardholder data…

12 Tips To Avoid Credit Card Data Breaches

01-Nov-2016

PCI DSS: 12 Requirements to Protect Your Customer’s Credit Card Data. Traditionally, ill-intentioned criminals have targeted banking…

PCI Compliance & Why You Need to be Compliant

27-Sep-2016

Getting paid is just as important as PCI compliance. Businesses of all sizes rely on cash flow to effectively manage business operations. To…

What's changed in PA-DSS 3.2? Impacts to Vendors, Implementers, and Operators.

26-Aug-2016

Recently, Control Gap posted an article performing a detailed analysis of the recent changes in the DSS due to 3.2. We do this because the…

How Microsoft Support Expiry can Affect Your PCI Compliance

26-Jul-2016

Microsoft support offerings are designed to provide guidance for system administrators and managers. However, details of the Microsoft…

PCI DSS: Guide to Effective Daily Log Monitoring

14-Jul-2016

Despite the widespread adoption of logging as part of operational security practices, organizations have continued to be challenged in…

PCI Under The Microscope

28-Jun-2016

The PCI Council has testified before Congress about standards and breaches in both 2014 and 2009 (links are to Google Searches). This year…

PCI DSS v3.2 - What You Need to Know to Stay PCI Compliant

08-Jun-2016

To accept credit cards in Canada, businesses need to be PCI compliant. Becoming PCI compliant can be difficult in the first place and…

Is Your Payment Application Ready to Leap to PA-DSS Version 3.2?

08-Jun-2016

With the release of PA-DSS 3.2 on June 8th, the PCI Council has provided sunset dates for PA-DSS 3.1 applications and application listing…

The Panama Papers - a new kind of breach?

06-Apr-2016

In the world of data breaches, it’s not often that we see something totally new. This last week we may just have had such a thing.  Most…

PCI DSS V3.2 Is Almost Here!

06-Apr-2016

The PCI Security Standards Council confirmed last week that the updated version of PCI DSS (v3.2) will be released at the end of April 201…

Why the Apple vs. FBI Dispute Is A Good Thing

01-Mar-2016

The Internet and mainstream media has been ablaze with articles and opinion pieces about the dispute between the FBI and Apple over an…

Just like spring - a new version of PCI DSS will come early this year!

26-Feb-2016

Last week the PCI Standards Council commented on the upcoming DSS 3.2 update and what it means for the rest of 2016. Ever since the sunset…

Sunset of SSL Extended

22-Dec-2015

If you’ve been struggling with keeping up with various SSL vulnerabilities and planning an orderly cutover to TLS, then the recent…

Must Format Preserving Encryption (FPE) be distinguishable from cardholder data for PCI?

17-Apr-2015

Previously we looked at Format Preserving Encryption (FPE), its characteristics, and its suitability for application in solutions intended for PCI…

PCI DSS Version 3.1 Has Arrived

15-Apr-2015

The PCI Security Standards Council today published the expected update to PCI, releasing these documents including some specific migration…

PCI Security Standards Council set to kill off SSL in PCI DSS/PA-DSS 3.1 updates

10-Mar-2015

The PCI council has released an announcement that they are preparing an updated version of the PCI DSS (v3.1) and PA-DSS (v3.1), where they…

What is Format Preserving Encryption and is it suitable for PCI DSS?

23-Feb-2015

Format Preserving Encryption, or FPE, is a recent technology that is beginning to show up in payment solutions with the promise of simplifying…

Analysis of PCI DSS 3.0

01-Oct-2014

PCI DSS 3.0 was released in November 2013. There are new and changed requirements with a more organized look. Check out our in-depth analysis and…